Minor Security fix for `Form::button()` #581

Merged
merged 1 commit into from

2 participants

@jails
Collaborator

Change the string template of the button element so that its content is escaped by default, using `$title` instead of `$name`.

@nateabele nateabele merged commit 45a6cc4 into UnionOfRAD:dev
Commits on Jul 14, 2012
  1. @jails
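--- a/template/helper/Form.php
+++ b/template/helper/Form.php
@@ -37,7 +37,7 @@ class Form extends \lithium\template\Helper {
 * @var array
 */
 protected $_strings = array(
- 'button' => '<button{:options}>{:name}</button>',
+ 'button' => '<button{:options}>{:title}</button>',
 'checkbox' => '<input type="checkbox" name="{:name}"{:options} />',
 'checkbox-multi' => '<input type="checkbox" name="{:name}[]"{:options} />',
 'checkbox-multi-group' => '{:raw}',
@@ -493,6 +493,21 @@ protected function _fields(array $fields, array $options = array()) {
 }
 /**
+ * Generates an HTML button `<button></button>`.
+ *
+ * @param string $title The title of the button.
+ * @param array $options Any options passed are converted to HTML attributes within the
+ * `<button></button>` tag.
+ * @return string Returns a `<button></button>` tag with the given title and HTML attributes.
+ */
+ public function button($title = null, array $options = array()) {
+ $defaults = array('escape' => true);
+ list($scope, $options) = $this->_options($defaults, $options);
+ list($title, $options, $template) = $this->_defaults(__METHOD__, $title, $options);
+ return $this->_render(__METHOD__, 'button', compact('type', 'title', 'options', 'value'), $scope);
+ }
+
+ /**
 * Generates an HTML `<input type="submit" />` object.
 *
 * @param string $title The title of the submit button.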
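Review bot: `compact('type', 'title', 'options', 'value')` in the new `button()` names `$type` and `$value`, which are never assigned anywhere in the method, so they are silently dropped from the template data (newer PHP versions also emit a notice for undefined variables passed to `compact()`) and only `title` and `options` actually reach `_render()`. The `$template` returned by `_defaults()` is likewise discarded in favour of the hard-coded `'button'`, so a template override passed through `$options` would be ignored; if the sibling helpers forward it (not visible in this hunk), this one should match: `return $this->_render(__METHOD__, $template, compact('title', 'options'), $scope);`. The escape-by-default behaviour this fix promises depends on `_render()` honouring `$scope['escape']` when substituting `{:title}`, which lives outside the hunk, so the `Continue &gt;` assertion in the accompanying test is what actually pins it. A one-line note in the docblock, `* Unlike the old magic-method form, the title is HTML-escaped unless 'escape' => false is passed.`, would make the contract explicit to callers.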
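--- a/tests/cases/template/helper/FormTest.php
+++ b/tests/cases/template/helper/FormTest.php
@@ -1241,9 +1241,16 @@ public function testFormCreationWithNoContext() {
 * Tests that magic method support can be used to automatically generate a `<button />` tag
 * based on the default string template.
 */
- public function testAutoMagicButton() {
+ public function testButton() {
 $result = $this->form->button('Foo!', array('id' => 'bar'));
 $this->assertTags($result, array('button' => array('id' => 'bar'), 'Foo!', '/button'));
+
+ $result = $this->form->button('Continue >', array('type' => 'submit'));
+ $this->assertTags($result, array(
+ 'button' => array('type' => 'submit', 'id' => 'Continue'),
+ 'Continue &gt;',
+ '/button'
+ ));
 }
 /**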
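Review bot: The docblock directly above the renamed `testButton()` still describes the old magic-method behaviour, but the method now exercises the explicit `button()` helper and its default escaping; suggest replacing the two description lines with `* Tests that button() generates a <button></button> tag from the default string template and escapes its title by default.`. The new assertion pins `Continue &gt;` for the default path, but nothing covers the opt-out, so a third case such as `$result = $this->form->button('Continue >', array('escape' => false));` asserting the raw `'Continue >'` content would guard the `escape` option against regressing to always-escape or never-escape. `testButton()` is fully within the hunk.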